Promet Source: An ASAP Guide to Drupal 10

With Drupal 9 slated for end of life within a matter of weeks, the time to jump on the Drupal 10 upgrade fast track is now. This November’s scheduled end of life for Drupal 9 (the Drupal Association has yet to publish an exact date) signals a true hard stop, with no possibility of extended commercial support or off-grid security and bug fixes. At issue is the November 2023 decommissioning of Symfony 4

Nonprofit Drupal posts: September Drupal for Nonprofits Chat

We're back from summer vacation!!! Join us TOMORROW, Thursday, September 21 at 1pm ET / 10am PT, as we resume our normally scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

No pre-defined topics on the agenda this month, so join us for an informal chat about anything at the intersection of Drupal and nonprofits. Got something specific on your mind? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

  • Join the call: https://us02web.zoom.us/j/81817469653

    • Meeting ID: 818 1746 9653
      Passcode: 551681

    • One tap mobile:
      +16699006833,,81817469653# US (San Jose)
      +13462487799,,81817469653# US (Houston)

    • Dial by your location:
      +1 669 900 6833 US (San Jose)
      +1 346 248 7799 US (Houston)
      +1 253 215 8782 US (Tacoma)
      +1 929 205 6099 US (New York)
      +1 301 715 8592 US (Washington DC)
      +1 312 626 6799 US (Chicago)

    • Find your local number: https://us02web.zoom.us/u/kpV1o65N

  • Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

Security advisories: Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Project: Drupal core
Date: 2023-September-20
Security risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4
Description:

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.
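
A triage check for the advisory above, as an added example (not code from the advisory or from Drupal): it reads the locked drupal/core version from composer.lock, tests it against the affected ranges listed above, and looks for jsonapi in an exported core.extension.yml. The function names, status strings and sample inputs are constructed for illustration, and it assumes a Composer-managed site with exported configuration.

```python
import json
import re

# Affected ranges from SA-CORE-2023-006: (inclusive lower bound, exclusive upper bound).
AFFECTED = [((8, 7, 0), (9, 5, 11)), ((10, 0, 0), (10, 0, 11)), ((10, 1, 0), (10, 1, 4))]

def parse_version(text):
    """Turn '10.1.3' or 'v9.5.10' into a tuple; None for dev or pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def core_version(composer_lock_text):
    """Return the locked drupal/core version string, or None if it is not locked."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None

def jsonapi_enabled(core_extension_yml):
    """True if 'jsonapi' appears under the top-level 'module:' key."""
    in_modules = False
    for line in core_extension_yml.splitlines():
        if line and not line[0].isspace():
            in_modules = line.startswith("module:")   # entering or leaving the block
        elif in_modules and re.match(r"\s+jsonapi:\s*\d+\s*$", line):
            return True
    return False

def triage(composer_lock_text, core_extension_yml):
    """Classify a site; the status strings are hypothetical labels for this example."""
    raw = core_version(composer_lock_text)
    ver = parse_version(raw) if raw else None
    if ver is None:
        return "unknown-version"            # dev branch or missing entry: check by hand
    if not any(lo <= ver < hi for lo, hi in AFFECTED):
        return "not-affected"
    # Affected core: exposure depends on whether JSON:API is installed.
    return "update-now" if jsonapi_enabled(core_extension_yml) else "affected-core-jsonapi-off"

# Constructed sample inputs, not taken from any real site.
SAMPLE_LOCK = '{"packages": [{"name": "drupal/core", "version": "10.1.3"}]}'
SAMPLE_EXT = "module:\n  jsonapi: 0\n  node: 0\ntheme:\n  olivero: 0\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_EXT))
```

A site reported as affected-core-jsonapi-off still runs an affected core release and should be updated; the status only indicates that the JSON:API precondition named in the advisory is absent from the exported configuration.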


DrupalEasy: Test driving the new DDEV Manager extension for Visual Studio Code

Introduction

If you use Visual Studio Code and DDEV, there's a new extension that may increase your efficiency. The DDEV Manager extension provides a user interface within Visual Studio Code for just about every conceivable DDEV command. As I am a user of both tools, and I often teach and present on the topic of maximizing one's efficiency related to Drupal development when using DDEV and Visual Studio Code, a thorough review of this new extension was a no-brainer for me. 

Installation

Installation of the extension is typical of any other Visual Studio Code extension - from the "Extensions" sidebar, search for "DDEV manager" and then click to install. No restart of Visual Studio Code is necessary. Upon successful installation, the DDEV icon will be present in the sidebar. 

Basic functionality

The default view of the DDEV Manager extension is a list of all DDEV projects on the machine. The counter-intuitive thing about it is that if Visual Studio Code is already open to one of the listed projects, its entry on the list isn't highlighted. In fact, from this default view, any DDEV project on the machine can be started. But, there's an icon at the top of the sidebar window that provides the ability to toggle between "All DDEV projects" and "Workspace projects"; I think the latter should be the default. I opened a feature request for this, but it was quickly rejected ☹️. However, there is a "DDEV: Show Projects List" setting in the Visual Studio Code configuration (via the "Code | Settings" menu) that allows the default to be changed.


Each entry in the list has options to start, stop, restart, rename, configure, delete, launch restart, and even a button to open an ssh connection to the DDEV web container. In addition, the contextual menu (see image) provides access to virtually all project-related DDEV commands. Granted, these are all things that basic DDEV commands do, but it is rather nice to have them all represented in the UI. Most of the options work the way you would expect. For example:

  • Configure opens the .ddev/config.yaml file in Visual Studio Code
  • XDebug Enable and XDebug Disable provide feedback in the form of a standard Visual Studio Code notification. 
  • Create Snapshot provides you the ability to name the snapshot in the form of a standard Visual Studio Code popup dialog.

One standout, in my opinion, is the Add Services option. It provides a popup dialog listing all of the available DDEV addons. I really like this feature, as discovering these addons is a relatively new feature in DDEV and I think this will really provide a lot of value to the DDEV community. For example, did you know that you could add a Solr or PDFreactor service to DDEV with a single command? Well, now you can do it with a couple of clicks - fantastic!


Clicking the angle bracket to the left of each project name in the interface provides an overview of the current status of the project. A nice surprise was the ability to modify the version of PHP and/or NodeJS used in the DDEV web container via a standard Visual Studio Code popup dialog (see image).

This detailed view of the DDEV project also provides nice touches like buttons to ssh into the project's various service containers, the ability to open the project directory in the OS's native file explorer, and the ability to open the MailHog interface in a browser. 

How does this compare with the PhpStorm DDEV plugin?

The DDEV Integration plugin for PhpStorm offers similar functionality, but it is more focused on only the currently opened project. It also includes super-useful CLI integration so that tools like phpcs and PhpStan can be run inside the DDEV web container with their results exposed to the PhpStorm UI. This is not a feature that the DDEV Manager extension provides.

Summary

Who should use this extension? If you use DDEV and Visual Studio Code, this seems like a no-brainer especially if you enjoy your user interfaces. But, there is one caveat: if you connect to the DDEV web container via the Visual Studio Code Dev Containers extension, then the DDEV Manager extension is irrelevant for your use case.

The developer, Biati Digital, acknowledges that this is a new project and bug reports and feature requests are welcome in the issue queue.

Note: there is an older, seemingly no-longer-maintained DDEV-related extension available for Visual Studio Code called "ddev". At the current time, this extension is not recommended for use.

DrupalEasy: Termageddon.com for keeping your site's policies up-to-date

Privacy and terms of use policies seem to be in a constant state of flux due to various legal jurisdictions often updating requirements for businesses that operate in their area. Keeping up with all the changes is challenging, to say the least.

For the past few years, DrupalEasy has been using Termageddon.com to help keep our various site policies current. To get started, we provided Termageddon with some details about our business and what type(s) of policies we were looking for. The service then provided us with some HTML/Javascript code snippets that we include on our various policy pages that automatically pull up-to-date content from Termageddon. 

While we are notified each time one of our policies changes, it all happens automatically. This notification gives us the opportunity to review the changes and discuss with our legal representation, if necessary.

Using a service like this is not a replacement for legal representation - consider it a supplement, at best. 

If you're unsure if your site requires a service like this, then it is worth your time investigating. If your site captures user data in any manner (contact forms, Webforms, analytic tools), it probably is a good idea to have a sound set of policies. Termageddon can help make the process of setting up your site's policies easier.

DrupalEasy is an affiliate of Termageddon.com and receives consideration for client referrals. 

DrupalEasy: PHP Sniffer & Beautifier extension for Visual Studio Code

If you've been a user of Visual Studio Code for your custom Drupal development, then you're probably (hopefully) familiar with this Drupal.org documentation page that provides an overview of recommended extensions and configuration.

In the past, I've recommended using the phpcs extension for integration with Visual Studio Code. I did this knowing full well that there haven't been any new commits to the extension's code since 2018! It worked fine, and it was also the recommended phpcs-related extension on the doc page mentioned above, so I didn't think about it too much.

Recently, in an effort to use phpcs and phpcbf in a slightly different way (more on that another time), I needed to find a more up-to-date extension - I found (and have been using for several months now) the PHP Sniffer & Beautifier extension. This includes all the necessary functionality to display coding standard issues in Visual Studio Code's Problems tab and has been better maintained the past few years (although the maintainer is looking for others to help). 

Here's my configuration when using a separate install of Drupal Coder (although different configurations are possible depending on your project and local development stack).

/* PHP Sniffer & Beautifier */
"phpsab.snifferEnable": true,
"phpsab.executablePathCS": "/Users/michael/sites/drupal_coder/vendor/bin/phpcs",
"phpsab.fixerEnable": true,
"phpsab.executablePathCBF": "/Users/michael/sites/drupal_coder/vendor/bin/phpcbf",
"phpsab.standard": "/Users/michael/sites/drupal_coder/phpcs.xml",
"phpsab.snifferMode": "onType",
"phpsab.debug": false,
"phpsab.fixerArguments": [],

If you're a Visual Studio Code user and you utilize phpcs and phpcbf as part of your everyday workflow, you may want to consider using this extension.

DrupalEasy's Professional Module Development course (Full version) includes configuring both Visual Studio Code and PhpStorm to integrate phpcs, phpcbf, and PhpStan in an efficient manner.

The pixel art image used in this blog post was generated by the DALL-E project of OpenAI.

DrupalEasy: DDEV integration plugin for PhpStorm can increase your Drupal development efficiency

If you use DDEV and PhpStorm, then the DDEV Integration plugin should definitely interest you (especially if you're into code quality tools like phpcs and PhpStan). If you don't use DDEV and PhpStorm, then the DDEV Integration plugin might entice you to take a fresh look...

It can be arduous to configure PhpStorm to integrate with phpcs and/or PhpStan to show code quality issues in the PhpStorm Problems area as shown here:

In the past, we've often recommended to students and clients that they install Drupal Coder alongside their Drupal projects and then point to its binaries of phpcs and PhpStan (utilizing the host operating system's PHP) in order to (somewhat) easily integrate those tools with PhpStorm.

The DDEV integration plugin makes it easy to point to phpcs and PhpStan in each project (assuming drupal/core-dev dependencies are included in the project) and then (here's the magic) utilize the automatically configured (by the DDEV integration plugin) command-line access inside the DDEV web container - awesome!


This configuration allows you to point to your phpcs.xml configuration file using the file path inside the DDEV web container!

DrupalEasy's Professional Module Development course (Full version) includes configuring both Visual Studio Code and PhpStorm to integrate phpcs, phpcbf, and PhpStan in an efficient manner.

DrupalEasy: Adding fields to the "Authoring information" area on a standard Drupal node add/edit page

Have you been in the situation where you've added a new field to a Drupal content type and you want that field to appear somewhere in the sidebar of the node add/edit page for that content type (instead of in the main column along with all the other fields)?

If so, the following snippet of code, added to a custom module on your site, is exactly what you're looking for. In this example, a user reference field with the machine name of field_additional_authors was added to a Blog content type. This code places the field in the Authoring information accordion item in the sidebar:

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_alter().
 */
function my_module_form_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
  // Move the "Additional authors" field to the "Authoring information"
  // accordion.
  if (in_array($form_id, ['node_blog_edit_form', 'node_blog_form'])) {
    $form['field_additional_authors']['#group'] = 'author';
  }
}

Note that the add and edit forms have slightly different $form_id values.

The Drop Times: Growing Together in the Drupal Land: The 'Learn Drupal' Initiative

One of the goals we have at TheDropTimes is to get more people to learn Drupal, and to reach this, we have initiated a project called "Learn Drupal."

Learning Drupal doesn't have to be a steep, uphill task. The journey can be manageable and genuinely enjoyable with the correct "map" at hand and knowing where to look for support.

Metadrop: We are going to the Drupal Camp Spain at Seville

Drupal Camp Spain is happening this Friday! This year is in Seville, at the Faculty of Computer Science, University of Seville. From Thursday 21st to Saturday 23rd, including not only a lot of talks but also a Business Day where companies or individual freelancers can meet with other Drupal agents and share experiences and ideas.


Photo by Joan Oger on Unsplash.

Thanks!

A Drupal Camp is an event where a Drupal community can meet and exchange knowledge in real life, as opposed to the digital interactions of the rest of the year. It is the great…